
Malware Worm Targets npm, PyPI in Mass Supply-Chain Attack


More than 170 different packages that collectively count nearly 180 million weekly downloads were infected by a self‑spreading worm that researchers say has now been open-sourced, raising the risk that the campaign will scale quickly.

How the Mini Shai‑Hulud worm operates

Security firms describe the latest variant as "Mini Shai‑Hulud" — part of the broader Shai‑Hulud family — and say it is "a true worm" designed to "spread autonomously" by harvesting credentials from infected hosts and using them to push malicious updates into other packages, according to StepSecurity. Ox Security said the campaign infected packages hosted on npm and PyPI, and Endor Labs called this the "fifth wave of the Shai‑Hulud malware family in eight months," and the second Mini campaign in two weeks.

The worm's credential‑harvesting capability is broad: StepSecurity says it looks in more than 100 hardcoded paths, including cloud platforms such as Amazon Web Services, Google Cloud Platform, Kubernetes and Microsoft Azure; developer tools and CI/CD pipelines; AI tools; crypto wallets; messaging apps such as Signal, Slack and Telegram; VPN configurations; and shell history files.

  • The latest build adds a wiper and displays a warning that it will wipe the entire system if developers delete the worm's access token, prompting StepSecurity's advice: "do not revoke npm tokens before isolating the affected machine and imaging it for forensic analysis."
  • Researchers also reported country‑aware logic in some payloads: Microsoft's security team said one payload "won't launch if it detects Russian language support in the operating system" and that if it detects signs of Israel or Iran it has a "one in six chance of executing a command to delete all files and directories from the infected system."

The TanStack compromise and a minutes‑long chain reaction

The campaign included a high‑speed strike on packages maintained by TanStack. TanStack said an attacker infected 42 different npm packages it builds "over a six minute period," with StepSecurity detecting the activity about 20 minutes later and directly notifying TanStack. TanStack deprecated the subverted versions and worked with npm security to pull the affected software from the registry.

Endor Labs noted the attack succeeded despite TanStack's security measures — including two‑factor authentication, trusted‑publisher bindings, and signed provenance attestations — because the attacker used "a novel technique - an orphaned commit pushed to a fork of the TanStack repository - to obtain a legitimate short‑lived publish token." TanStack maintainer Tanner Linsley wrote in a postmortem that "we got lucky" in part because the attacker's methods were noisy and reused known tradecraft, enabling rapid matching of indicators of compromise.

Mistral AI, package windows, and payload variability

TanStack's compromise rippled to other projects. Mistral AI reported that "an automated worm associated with the attack led to compromised npm and PyPi packages versions being published" of its own software. Those published versions were available for approximately three hours before being removed, and at least one PyPI version — version 2.4.6 — was found by Microsoft's security team to contain a credential stealer with the country‑aware behavior described above.

Not every infection executed successfully: Wiz reported that in the infected @mistralai/* and @uipath/* npm packages it identified "a bug in the payload that renders the malware non‑functional in those cases."

TanStack advised anyone who installed an infected version to rotate all keys that the installation host would have been able to reach.

Open‑sourcing the worm and stolen‑data dead drops

Researchers said the threat actor using the handle TeamPCP began releasing an open‑source version of the worm, posting repositories that included the tagline "Shai‑Hulud: Here We Go Again - Let the Carnage Continue. A Gift From TeamPCP," Ox Security reported. Of the two versions of the open‑source worm available as of Wednesday, one was copied into a separate repository 87 times and the other 15 times, according to the same reporting.

Ox Security also described a post‑exfiltration workflow: after stealing credentials, the malware uploads an encrypted copy of the stolen data to the victim's GitHub account under a new repository whose name is drawn from the Dune universe. Researchers counted more than 350 such repositories as of Tuesday.

What this means for technologists, open‑source maintainers, and enterprises

  • Technologists and security teams: Government and private guidance converges on slowing automatic uptake of new packages. Ollie Whitehouse, CTO of the NCSC, told reporters at CyberUK that "these are detected quite quickly - detected in a matter of hours or days" and urged against minute‑by‑minute updates. StepSecurity and others recommend a code "cooldown period" before new packages are merged into CI/CD pipelines, and Ox Security urges enforcing multifactor authentication "across npm, GitHub and cloud accounts" and treating key rotation as routine rather than as an emergency-only measure.
  • Open‑source maintainers: The TanStack incident shows attackers may exploit forks and short‑lived tokens; Endor Labs warned that even projects that "did everything right on paper" can be affected. Maintainers should assume an attacker may try orphaned commits and short‑lived publish tokens and coordinate closely with registry security teams if compromise is suspected.
  • Enterprises and procurement leaders: If infected versions are installed, TanStack's instruction is clear: rotate keys reachable from the host. StepSecurity's warning, "do not revoke npm tokens before isolating the affected machine and imaging it for forensic analysis," makes incident sequencing critical: isolate and image before token revocation to preserve forensic evidence.
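
The "cooldown period" recommended above can be enforced at resolution time. The following is an added example, not code from StepSecurity or any other vendor quoted in this article; the function names, the seven-day window and the sample metadata are assumptions, and the input mirrors the version-to-timestamp map printed by `npm view <pkg> time --json`.

```javascript
// Added example: pick the newest version that has aged past a cooldown window.
// Input shape follows the npm registry's per-version publish times
// (the "time" object shown by `npm view <pkg> time --json`).
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "1.2.3" into [1, 2, 3]; return null for prereleases or other strings.
function parseStable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns { allowed, held }: allowed is the newest stable version published at
// least cooldownDays before `now`; held lists newer versions still cooling down.
function resolveWithCooldown(timeMap, cooldownDays, now) {
  const cutoff = now.getTime() - cooldownDays * DAY_MS;
  const candidates = [];
  for (const [version, stamp] of Object.entries(timeMap)) {
    const parsed = parseStable(version); // also skips "created"/"modified"
    const published = Date.parse(stamp);
    if (!parsed || Number.isNaN(published)) continue;
    candidates.push({ version, parsed, published });
  }
  candidates.sort((x, y) => compareVersions(y.parsed, x.parsed)); // newest first
  const held = [];
  for (const c of candidates) {
    if (c.published <= cutoff) return { allowed: c.version, held };
    held.push(c.version);
  }
  return { allowed: null, held }; // nothing old enough: fail closed
}

// Constructed sample metadata for a hypothetical package (not real data).
const sampleTimes = {
  created: "2025-01-01T00:00:00.000Z",
  modified: "2025-06-10T09:06:00.000Z",
  "1.4.0": "2025-05-01T12:00:00.000Z",
  "1.4.1": "2025-06-10T09:00:00.000Z",
  "1.5.0-beta.1": "2025-06-10T09:03:00.000Z",
  "1.4.2": "2025-06-10T09:06:00.000Z",
};
const sampleNow = new Date("2025-06-10T12:00:00.000Z");
console.log(resolveWithCooldown(sampleTimes, 7, sampleNow));
```

In the sample, two releases published minutes apart on the same morning are held back and the resolver pins the last version that predates the window; a CI job would feed the `allowed` value into its install step and fail when it is `null`.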

The immediate facts are stark: a worm that steals broad classes of credentials, now published in the open, has already traversed popular public repositories and briefly made weaponized packages available for millions of weekly downloads. The choices ahead are concrete — implement time‑based install logic, enforce multifactor authentication and routine key rotation, and treat token revocation as an evidence‑sensitive action — because, as StepSecurity and other researchers show, minutes and hours matter.
